The Hacking Team Leak, Zero-Days, Patches, and More Zero-Days [updated]

A lot has happened since the surveillance software company Hacking Team got hacked last week. The breach exposed hundreds of gigabytes of their internal data online—including proof-of-concept exploits for Adobe Flash Player vulnerabilities, and one for the Windows Kernel—basically opening a Pandora's box of exploits and vulnerabilities to the Internet.

Evidently, a lot of individuals opened that box, saw what was inside, and ran with it. After the leak, a number of exploit kits were updated to include the exploit for the first Flash vulnerability (CVE-2015-5119), which, according to Adobe, affected all versions of Flash Player. This first zero-day was acknowledged and patched by Adobe on July 8th.

It didn't stop there, though. A few days later, another zero-day vulnerability (CVE-2015-5122) was found in the Hacking Team leak; if exploited, it could allow an attacker to take control of the vulnerable system. This second vulnerability was identified from a proof-of-concept in the leak and currently remains unpatched. A third zero-day (CVE-2015-5123), another proof-of-concept from the leak, surfaced shortly after.

The two new vulnerabilities make for three Adobe Flash Player zero-days in a week. Both CVE-2015-5122 and CVE-2015-5123 remain unpatched, and users are advised to temporarily disable Flash until a fix is available. Trend Micro Deep Security features vulnerability protection that shields users from threats related to these vulnerabilities.


Adobe has released a security advisory that rates both as critical vulnerabilities affecting Flash Player 18.0.0.204 and earlier versions for Windows, Mac, and Linux. Adobe expects to release an update that fixes these two vulnerabilities "during the week of July 12, 2015." Stay tuned for updates.
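The advisory's "18.0.0.204 and earlier" wording is easy to get wrong when scripted, because Flash build numbers must be compared numerically, not as text. The following is an added example (not code from Trend Micro or Adobe) that parses a reported Flash Player version and checks it against that last affected build. It assumes inputs are either the dotted form used in advisories or the comma-separated form Flash reports at runtime, optionally with a platform prefix; the sample version strings at the bottom are constructed, not real inventory data.

```python
# Added example: check a reported Flash Player version against the
# "18.0.0.204 and earlier" range from Adobe's advisory. Not code from
# Trend Micro or Adobe.
import re

# Highest affected build quoted in the advisory for CVE-2015-5122/5123.
LAST_AFFECTED = "18.0.0.204"


def parse_version(text):
    """Return a tuple of four ints from a Flash version string.

    Accepts the dotted form used in advisories ("18.0.0.204") and the
    comma-separated form Flash itself reports, with or without a platform
    prefix ("WIN 18,0,0,204"). Handling the prefix is an assumption about
    the inputs this helper will see, not something taken from the advisory.
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError("no four-part version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected(version, last_affected=LAST_AFFECTED):
    """True if `version` is at or below the last affected build.

    Compares field by field as integers. A plain string comparison gets
    this wrong: "18.0.0.9" sorts after "18.0.0.204" as text but is an
    older, and therefore affected, build.
    """
    return parse_version(version) <= parse_version(last_affected)


def triage(reported_versions, last_affected=LAST_AFFECTED):
    """Map each reported version string to 'affected' or 'not affected'."""
    return {
        v: ("affected" if is_affected(v, last_affected) else "not affected")
        for v in reported_versions
    }


if __name__ == "__main__":
    # Constructed sample inputs for illustration, not real inventory data.
    sample = ["18.0.0.204", "WIN 18,0,0,203", "18.0.0.9",
              "17.0.0.190", "18.0.0.209"]
    for v, status in triage(sample).items():
        print("%-16s %s" % (v, status))
```

The comparison is deliberately inclusive at the top end, because the advisory says "18.0.0.204 and earlier"; when Adobe ships the fix, replace `LAST_AFFECTED` with the build quoted in the updated bulletin rather than editing the comparison.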

Update – July 14: After three separate zero-days affecting Adobe Flash, another zero-day connected to the Hacking Team incident has been discovered. Designated CVE-2015-2425, it is an Internet Explorer flaw that can allow an attacker to take over a user's system. There are no known attacks exploiting it, but Microsoft has published a security bulletin for the critical flaw and has already released a fix in its latest Patch Tuesday update.

Update – July 16: Hacking Team's leaked files totaled 400GB, and the dump wasn't limited to vulnerabilities. An analysis of the files also revealed mobile threats affecting the iOS and Android platforms. First came a report about HT's surveillance software that could be slipped onto a non-jailbroken phone. Then Trend Micro researchers found a fake news app, called "BeNews", that can circumvent filtering in Google Play; it's possible the app was used as a lure for downloading RCSAndroid malware onto a target's device.

Update – July 20: A Windows zero-day vulnerability has been discovered in Hacking Team's leaked files by Trend Micro researchers. It is a local privilege escalation (LPE) flaw: on its own it does not provide remote access, but chained with an initial foothold it would let an attacker escalate to full control of the affected system. The vulnerability (CVE-2015-2426) has been reported to Microsoft, and a patch has already been released to fix it.

Update – July 21: More on the mobile front: the source code for Hacking Team's RCSAndroid (Remote Control System Android) malware suite has been found in the leaked files. The company was selling RCSAndroid as a tool for monitoring targets. The code can be considered one of the most sophisticated, professionally developed pieces of Android malware ever exposed, and it allows the RCSAndroid app to run a number of intrusive spy routines.

It's very powerful, and it's currently out in the wild and available for cybercriminals to tweak for their purposes.

For now, users are advised to avoid installing apps from third-party sources, update to the latest OS version, and install a mobile security solution.
